Hi. I will be posting all the testing-related stuff here. The content posted here is a collection from different websites.

Thursday, June 14, 2012

How to Test Web Applications against SQL Injection Attacks


SQL injection is a technique often used to attack databases through a website.

Definition: A malicious user could provide unexpected inputs to the application that are then used to frame and execute SQL statements on the database.

Explained:
Injection is done by including portions of SQL statements in a web form entry field in an attempt to get the website to pass a newly formed rogue SQL command to the database (e.g. to dump the database contents to the attacker).

Using this, an attacker can:
  • Bypass logins
  • Access secret data
  • Modify the contents of the website
  • Shut down the MySQL server

Since the consequences of allowing the SQL injection technique could be severe, SQL injection should be tested during the security testing of an application.

Example: the user needs to enter a username and a password.

The user enters "John" and "Smith" as details, so the SQL is formed as
SELECT * FROM Users WHERE UserName = 'John' AND Password = 'Smith';

But if the user enters a UserName like "John'--", the SQL is formed as
SELECT * FROM Users WHERE UserName = 'John'-- AND Password = 'Smith';

Note that the part of the SQL statement after 'John' is turned into a comment ("--" starts a comment in SQL), so the password check is never evaluated. If there is any user with the user name John in the Users table, the application could allow the tester to log in as John and view that user's private information.

Technical Implementations
  • Incorrectly filtered escape characters
This form of SQL injection occurs when user input is not filtered for escape characters and is then passed into an SQL statement.

A user can type input in the user name field like: John' OR '1'='1
The SQL is then formed as
SELECT * FROM users WHERE name = 'John' OR '1'='1';
Because '1'='1' is always true, the WHERE clause matches every row, so this returns all users rather than only John.
Or, if the user can enter a user name like: a';DROP TABLE users; SELECT * FROM userinfo WHERE 't' = 't

this builds SQL like
SELECT * FROM users WHERE name = 'a';DROP TABLE users; SELECT * FROM userinfo WHERE 't' = 't';
which, on a database driver that executes stacked statements, drops the users table.
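The login bypass and the always-true condition from the two sections above, run against an in-memory SQLite database so the effect can be seen directly. This is an added example, not code from the original post; the Users table, its two constructed rows, and the function names (login_unsafe, login_safe, lookup_name_unsafe, lookup_name_safe) are assumptions made for the demo. The unsafe versions concatenate input into the SQL text exactly as the page's statements do; the safe versions use placeholders, which is the "parameterized statements" mitigation listed at the end of the post.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: an in-memory stand-in for the app's Users table.
    (Plain-text passwords are used only to keep the demo short.)"""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (UserName TEXT, Password TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?)",
                     [("John", "Smith"), ("Alice", "s3cret")])
    conn.commit()
    return conn


def build_login_sql(username: str, password: str) -> str:
    """Builds the statement the way the vulnerable example does: raw input is
    concatenated into the SQL text, so quotes and '--' become SQL syntax."""
    return ("SELECT UserName FROM Users WHERE UserName = '" + username
            + "' AND Password = '" + password + "'")


def login_unsafe(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Vulnerable login: the input John'-- comments out the password check."""
    rows = conn.execute(build_login_sql(username, password)).fetchall()
    return [r[0] for r in rows]


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Hardened login: the driver sends the values separately from the SQL
    text, so the input is compared literally and never parsed as SQL."""
    rows = conn.execute(
        "SELECT UserName FROM Users WHERE UserName = ? AND Password = ?",
        (username, password),
    ).fetchall()
    return [r[0] for r in rows]


def lookup_name_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable lookup: the input ' OR '1'='1 makes the WHERE clause always true."""
    sql = "SELECT UserName FROM Users WHERE UserName = '" + name + "'"
    return [r[0] for r in conn.execute(sql).fetchall()]


def lookup_name_safe(conn: sqlite3.Connection, name: str) -> list:
    """Hardened lookup: the same query with a placeholder."""
    sql = "SELECT UserName FROM Users WHERE UserName = ?"
    return [r[0] for r in conn.execute(sql, (name,)).fetchall()]


if __name__ == "__main__":
    db = make_db()
    print(build_login_sql("John'--", "wrong"))
    print(login_unsafe(db, "John'--", "wrong"))      # ['John']: password never checked
    print(login_safe(db, "John'--", "wrong"))        # []
    print(lookup_name_unsafe(db, "' OR '1'='1"))     # ['John', 'Alice']: every row
    print(lookup_name_safe(db, "' OR '1'='1"))       # []
```

The point to take from the two "safe" functions is that nothing about the input is filtered or escaped; the SQL text is fixed at development time and the database only ever sees the input as a value, so a test case like "John'--" simply fails to match any user.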

  • Incorrect type handling
This form of SQL injection occurs when a user-supplied field is not strongly typed or is not checked for type constraints. This can take place when a numeric field is to be used in a SQL statement, but the programmer makes no check to validate that the user-supplied input is numeric.

Statement := "SELECT * FROM userinfo WHERE id = " + a_variable + ";"

So the user needs to enter a numeric value for the id. If they enter "1;DROP TABLE users" instead, the SQL is built as
SELECT * FROM userinfo WHERE id=1;DROP TABLE users;

  • Conditional responses
One type of blind SQL injection forces the database to evaluate a logical statement on an ordinary application screen.

SELECT booktitle FROM booklist WHERE bookId = 'OOk14cd' AND '1'='1';

The condition '1'='1' is always true, so this fetches the book even though the user supplied no search criteria of their own. The tester compares this response with the one for an always-false condition (e.g. '1'='2'): if the two pages differ, the injected condition reached the database and was evaluated.

Mitigation

Consider the following while writing the code:
  • Parameterized statements
  • Escaping
  • Pattern check
  • Database permissions
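An added example (not from the original post) that covers the "Incorrect type handling" case above together with the mitigation list: a pattern check that rejects anything but digits before the value is cast to an integer, a parameterized query, and a least-privilege connection. SQLite has no GRANT, so its authorizer hook stands in for database permissions here; the userinfo table, its rows, and all function names are constructed for the demo. The unsafe function uses executescript so that the stacked DROP TABLE statement actually runs, as it would on a driver that allows multiple statements per call.

```python
import re
import sqlite3

# Pattern check: a record id is a short run of digits and nothing else.
ID_PATTERN = re.compile(r"[0-9]{1,10}")


def make_db() -> sqlite3.Connection:
    """Constructed sample data: an in-memory stand-in for the userinfo table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE userinfo (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO userinfo VALUES (?, ?)",
                     [(1, "John"), (2, "Alice")])
    conn.commit()
    return conn


def table_exists(conn: sqlite3.Connection, table: str) -> bool:
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?",
        (table,),
    ).fetchone()
    return row is not None


def is_valid_id(a_variable: str) -> bool:
    """Whitelist check: '1;DROP TABLE users' fails on the ';' and the letters."""
    return ID_PATTERN.fullmatch(a_variable) is not None


def fetch_by_id_unsafe(conn: sqlite3.Connection, a_variable: str) -> bool:
    """Mirrors Statement := "SELECT * FROM userinfo WHERE id = " + a_variable + ";".
    executescript runs every statement in the string, like a driver that permits
    stacked queries. Returns True if the database accepted the whole script,
    False if a statement was refused by the connection's authorizer."""
    sql = "SELECT * FROM userinfo WHERE id = " + a_variable + ";"
    try:
        conn.executescript(sql)
        return True
    except sqlite3.DatabaseError:
        return False


def fetch_by_id_safe(conn: sqlite3.Connection, a_variable: str) -> list:
    """Type handling done properly: validate, convert to int, then bind."""
    if not is_valid_id(a_variable):
        raise ValueError("id must be numeric: %r" % a_variable)
    user_id = int(a_variable)
    return conn.execute(
        "SELECT id, name FROM userinfo WHERE id = ?", (user_id,)
    ).fetchall()


def restrict_to_reads(conn: sqlite3.Connection) -> None:
    """Database permissions: the read path gets a connection that cannot change
    data or schema. Real servers do this with GRANT on a dedicated account;
    SQLite's authorizer hook is used as a stand-in (assumption for the demo)."""
    writes = {sqlite3.SQLITE_DROP_TABLE, sqlite3.SQLITE_DELETE,
              sqlite3.SQLITE_INSERT, sqlite3.SQLITE_UPDATE}

    def authorizer(action, arg1, arg2, dbname, source):
        return sqlite3.SQLITE_DENY if action in writes else sqlite3.SQLITE_OK

    conn.set_authorizer(authorizer)


if __name__ == "__main__":
    db = make_db()
    print(fetch_by_id_safe(db, "1"))                        # [(1, 'John')]
    print(is_valid_id("1;DROP TABLE userinfo"))             # False
    print(fetch_by_id_unsafe(db, "1;DROP TABLE userinfo"))  # True, and the table is gone
    print(table_exists(db, "userinfo"))                     # False
    db = make_db()
    restrict_to_reads(db)
    print(fetch_by_id_unsafe(db, "1;DROP TABLE userinfo"))  # False: DROP refused
    print(table_exists(db, "userinfo"))                     # True
```

The layers are independent: the pattern check stops the bad value at the edge, the placeholder means a value that slipped past it still cannot change the statement, and the restricted connection limits the damage if both of the others are missing, which is why the post lists all of them rather than one.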
